Hackers can ‘steal’ ballots from EVMs

Computer scientists have demonstrated how criminals could hack an electronic voting machine (EVM) and ‘steal’ votes using a malicious programming approach that had not been invented when the voting machine was designed.

The team of scientists from the Universites of California, San Diego, Michigan and Princeton employed “return-oriented programming” to force an electronic voting machine to turn against itself.

“Voting machines must remain secure throughout their entire service lifetime, and this study demonstrates how a relatively new programming technique can be used to take control of a voting machine that was designed to resist takeover, but that did not anticipate this new kind of malicious programming,” said Hovav Shacham.

Shacham is professor of computer science at UC San Diego’s (UC-SD )Jacobs School of Engineering and study co-author. His study demonstrates that return-oriented programming can be used to execute vote-stealing computations by taking control of an EVM designed to prevent code injection.

The computer scientists had no access to the machine’s source code – or any other proprietary information – when designing the demonstration attack.

By using just the information that would be available to anyone who bought or stole a voting machine, the researchers addressed a common criticism made against voting security researchers: that they enjoy unrealistic access to the systems they study.

“Based on our understanding of security and computer technology, it looks like paper-based elections are the way to go. Probably the best approach would involve fast optical scanners reading paper ballots. These kinds of paper-based systems are amenable to statistical audits, which is something the election security research community is shifting to,” said Shacham.

“You can actually run a modern and efficient election on paper,” he said.

“If you are using electronic voting machines, you need to have a separate paper record at the very least,” he added.

There findings were presented at the 2009 Electronic Voting Technology Workshop.